Read &amp; Full Access

Read & Full Access

jsorenson3

We have a login page that we have people login to access information. We want to be able to deny access to a certain link depending on what password they enter.

the login informatin is pulled from the DEALER_NUM and PASSWORD field in the table. I have created a field called PASSWORD2 which is what we will be using for the special access if thats what you want to call it.

I am stumped on how exactly to write it, but in a nutshell again. The Dealer Number will always be the same and just need to check which password they are inputting and if they input the 2nd one I will add what it needs to deny

//PARSE LOGIN (if user just sent un and pw, check db for login)
if ($login) {
	$rh_legaluser = mysql_query("select id from dealers where DEALER_NUM = '$login' and PASSWORD = '$password'");
	$num_rows = mysql_num_rows($rh_legaluser);

if ( $num_rows > 0) {

	//checks to see if user is Canadian or American
if(substr($login, 0, 1)=='C'){
  setcookie(dealerLogin,"$login",null,"/"); //set cookie to keep track of login
	  $dealerLogin = $login; //necessary as cookies aren't available right away
	  echo "<script>document.location.href='http://www.domain.com/secure/can/index.php';</script>";
}else{
  setcookie(dealerLogin,"$login",null,"/"); //set cookie to keep track of login
	  $dealerLogin = $login; //necessary as cookies aren't available right away
	}
} else {
	$noLogin = "Unable to login. The supplied username and password were incorrect.";
}
}

Here is for the login prompt

//LOGIN PROMPT
} else { //not logged in - display prompt to do so
	if ($noLogin) {
		$contentHTML .= "<p> $noLogin</p>
		<p>Please try again</p>";
	}
	$headerHTML = '<div class="header">Please Log In</div><br>';
	$contentHTML .= '
	<form action="'.$PHP_SELF.'?'.$QUERY_STRING.'" method="post">
		<div class="element" style="width: 50%;">
			<div class="subhead_em">Returning Dealers</div>
			<table border="0">
				<tr>
					<td>Dealer ID</td><td><input type="text" name="login" value="'.$login.'"></td>
				</tr>
				<tr>
					<td>Password</td><td><input type="password" name="password"></td>
				</tr>
			</table>
			<input type="submit" value="Login">

Thanks in advance

revdev

what i would do is set a cookie if the password entered = the "special" password. then check for that cookie on the page you want to allow/deny access to. if it's not set, then redirect them to another page or something.

Weedpacket

revdev wrote:
what i would do is set a cookie if the password entered = the "special" password.

Can I steal your cookie?

On the page that you're protecting, check the login details of the user requesting it (storing these in session variables so you can identify this user each time they make a request) against what is in the db. If they're not authorised to view the page (however you make that determination), call header() to redirect them to a page they are allowed to see and then call exit() to stop the script from going any further.